Trojan-Spy.HTML.Smitfraud.c


#1 grotting (Member, 14 posts)
I'm working with my niece's Presario model 7AP140 with Windows 98 installed. The only way I can access the system is by booting with a bootdisk that I downloaded from bootdisk.com. With instructions that I found on this forum, I was able to edit system.ini and change the shell from Explorer.exe to Progman.exe, then reboot normally with Program Manager on top of the blue screen. From there I've been able to run Cleanup to get rid of temp files. I have no Internet connection, so I'm having to download to my computer then transfer to the sick computer with floppies or CD-ROM (the CD-ROM is still working).

I've been able to run Ad-aware SE. When I try to run CWShredder, I get an illegal operation msg. and it won't run. Spybot S&D won't install; I get the following error msg.: Setup: CoCreateInstance failed; code 0x80040154. Class not registered. After three of these with different numbers, the program loads, but when I try to run it, it won't, because it tries to get the updates. Since my internet connection is down, I can't do any of the online scans that are recommended on the instruction page.

When I run HijackThis, it starts the scan, then stops after 2 seconds and pops up the following error msg: Jewel Case Creator: The selected file is not a valid jewelcase document. When I click on OK, the following msg pops up: Cdjewel: This program has performed an illegal operation and will be shut down. I closed the window and hit scan; it continued the scan, but I don't know if it is a complete scan or not.

Any solutions you can offer would be greatly appreciated. Thank you.


Here's the scan


Logfile of HijackThis v1.99.1
Scan saved at 8:32:33 PM, on 5/20/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\CRIX32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\progman.exe
C:\HJT\HIJACK~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.terafinder.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presa...onsumer&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.terafinder.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\ixzcu.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.linksummary.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\ixzcu.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\ixzcu.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.terafinder.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.terafinder.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\ixzcu.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.terafinder.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://cf.icq.com/cf...b/default.html"); (C:\Program Files\Netscape\Users\shawnana52\prefs.js)
O2 - BHO: (no name) - {3483E944-E5A1-B4A9-FF77-F0427B0070B6} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {8E718888-423F-11D2-876E-00A0C9082467} - (no file)
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\SYSTEM\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O7 "EPUSB1:" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL
O4 - HKLM\..\Run: [WINZK.EXE] C:\WINDOWS\WINZK.EXE
O4 - HKLM\..\Run: [Security iGuard] C:\PROGRAM FILES\SECURITY IGUARD\SECURITY IGUARD.EXE
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [MSNIA] C:\PROGRA~1\MSN\MSNIA\MSNIASVC.EXE
O4 - HKLM\..\RunServices: [CRIX32.EXE] C:\WINDOWS\CRIX32.EXE /s
O4 - HKLM\..\RunOnce: [test] 
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - HKCU\..\RunOnce: [test] 
O4 - Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.1.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZBzeb030YYUS
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra 'Tools' menuitem: AV Home - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {A4988EA0-C52A-11D9-A1EE-0010B5582DA5} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A4988EA0-C52A-11D9-A1EE-0010B5582DA5} - (no file) (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll

#2 insipid (Visiting Staff, 313 posts)
grotting, I'm having a look at your log now, I'll have a reply for you soon.

#3 insipid (Visiting Staff, 313 posts)
grotting, you have quite a collection there, the worst being the Smitfraud Trojan. This will be difficult, because I'm going to ask you to download some programs that you will have to transfer to the infected machine. Also, I'm not certain they'll run without Explorer, but let's give it a try. When the instructions ask for the program to be updated, obviously you can't do that at the moment. Just go on without the updates.

If you reach a step where you can no longer proceed, let me know.

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please right-click: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid
Newdotnet
My Web Search


Exit Add/Remove Programs.

I need you to copy all of the Killbox file paths below and paste them into Notepad.

* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.

* Save it to your desktop.

* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe
C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

While in Safe Mode, please do the following:

Run Ewido, and run a full scan. Clean any infected files found, and save the log from the scan.

Run HijackThis and place a check next to the following items:


R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.terafinder.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.terafinder.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\ixzcu.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.linksummary.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\ixzcu.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\ixzcu.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.terafinder.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.terafinder.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\ixzcu.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.terafinder.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {3483E944-E5A1-B4A9-FF77-F0427B0070B6} - (no file)
O3 - Toolbar: (no name) - {8E718888-423F-11D2-876E-00A0C9082467} - (no file)
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - HKLM\..\Run: [WINZK.EXE] C:\WINDOWS\WINZK.EXE
O4 - HKLM\..\Run: [Security iGuard] C:\PROGRAM FILES\SECURITY IGUARD\SECURITY IGUARD.EXE
O4 - HKLM\..\RunServices: [CRIX32.EXE] C:\WINDOWS\CRIX32.EXE /s
O4 - HKLM\..\RunOnce: [test] 
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - HKCU\..\RunOnce: [test] 
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZBzeb030YYUS
O9 - Extra button: Microsoft AntiSpyware helper - {A4988EA0-C52A-11D9-A1EE-0010B5582DA5} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A4988EA0-C52A-11D9-A1EE-0010B5582DA5} - (no file) (HKCU)



Then click FIX CHECKED and close HijackThis.

At this point, you should have your desktop back. If you can, please uninstall these programs in Add/Remove Programs in the Control Panel:

Reboot into normal mode.

Now, if you have your desktop back and can access the Internet, please run this online virus scan: ActiveScan - Save the results from the scan!


Restart your computer once more, and please post a new HijackThis log along with the log from Ewido, and the results from ActiveScan, if you were able to run it.

#4 grotting (Topic Starter, 14 posts)
insipid, the Ewido website says that Ewido Security Suite is not compatible with Windows 98. Should I try to install it anyway? While I'm waiting for your reply I'll do what I can with the rest of the instructions.

#5 insipid (Visiting Staff, 313 posts)
Thanks for bringing that up, grotting. Download the free 30-day trial of Trojan Hunter 4.0 instead and perform a full system scan.

You got me thinking, I also failed to change the file paths for Killbox to suit Windows 98. Here are the correct paths:

C:\wp.exe
C:\wp.bmp
C:\WINDOWS\sites.ini
C:\WINDOWS\popuper.exe
C:\WINDOWS\System\helper.exe
C:\WINDOWS\System\intmonp.exe
C:\WINDOWS\System\msmsgs.exe
C:\WINDOWS\System\ole32vbs.exe
C:\WINDOWS\System\msole32.exe

#6 grotting (Topic Starter, 14 posts)
insipid, I reran Killbox with the new paths. When I did the fix checked in HijackThis, I got 2 error messages: error #53 (file not found) in Sub GetLongPath(l.exe), and error #52 (Bad file name or number) in Sub GetLongPath(.com). These errors happened twice, but the program seemed to complete OK. I ran Trojan Hunter and it found 7 entries in the registry; I had it fix them. I changed shell= in system.ini back to explorer.exe. On reboot I get just a solid blue screen and the error message from explorer that "This program has performed an illegal operation and will be shut down". The only thing that works is to right click and bring up Task Manager, then shut down. I rebooted from the floppy and changed the Shell= back to progman.exe.

When the system is booting, during the POST, it halts and has a message referencing SHLDDRV.VXD. It says this device was not found or has been removed. Pressing a key continues the boot. I looked in system.ini, but didn't find anything, so I'm assuming that it is in the registry. Looks like some kind of virtual driver to me. Do you have any idea what it might be for? I ran HijackThis again, got those 2 error messages again referring to the CDjewel document; I think it completed OK.

It's 10:30 PM my time, so I'm going to call it for tonight. Thanx for all your help insipid, I'll check the forum for replies in the morning.

New HJT log


Logfile of HijackThis v1.99.1
Scan saved at 8:45:45 PM, on 5/21/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\progman.exe
C:\HJT\HIJACK~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presa...onsumer&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://cf.icq.com/cf...b/default.html"); (C:\Program Files\Netscape\Users\shawnana52\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\SYSTEM\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O7 "EPUSB1:" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [MSNIA] C:\PROGRA~1\MSN\MSNIA\MSNIASVC.EXE
O4 - Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.1.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra 'Tools' menuitem: AV Home - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
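The two HijackThis logs in this thread (the one in post #1 and the one just above) are the raw material for the whole cleanup, and the useful questions are the same each time: which entries match the indicators the helper called out, and which of them actually disappeared after the fix. The script below is an added example written for this page, not code from HijackThis or from either poster. Its sample logs are constructed excerpts of the two logs posted here, and its indicator table lists only the entries insipid asked to have fixed (terafinder.com, ixzcu.dll, linksummary, MyWebSearch, WINZK.EXE, CRIX32.EXE, Security iGuard, New.Net), so it is a reading aid for this thread, not a signature set.

```python
"""HijackThis log triage: parse the 'Rn - ...' / 'On - ...' entries, flag
those matching indicators named in this thread, and diff two logs to
confirm what a cleanup removed. Added example; not part of HijackThis.
Sample logs are constructed excerpts of the logs posted in the thread."""
import re
from dataclasses import dataclass

# "<section> - <body>", e.g. "O4 - HKLM\..\Run: [WINZK.EXE] C:\WINDOWS\WINZK.EXE"
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2})\s+-\s+(?P<body>.*\S)\s*$")
# An O4 value that carries a name but no command, e.g. "RunOnce: [test]"
EMPTY_AUTORUN_RE = re.compile(r"\\Run(Once|Services)?: \[[^\]]*\]$")

# Lower-case substrings -> why they matter; built from this thread only.
INDICATORS = {
    "terafinder.com": "search hijack target written into R0/R1 keys",
    "ixzcu.dll": "res:// search page served from a random-named DLL",
    "searchbar.linksummary.com": "SearchAssistant hijack",
    "mywebs": "MyWebSearch toolbar component (O4/O8)",
    "winzk.exe": "unknown autorun placed directly in C:\\WINDOWS",
    "crix32.exe": "unknown RunServices entry placed directly in C:\\WINDOWS",
    "security iguard": "rogue security product listed for removal in this thread",
    "new.net": "New.Net LSP hijack (O10)",
}


@dataclass(frozen=True)
class Entry:
    section: str  # "R1", "O4", "O10", ...
    body: str     # everything after "R1 - "


def parse_hjt(text):
    """One Entry per 'Rn - ...' / 'On - ...' line; the header, blank lines
    and the 'Running processes' block do not match and are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def reasons_for(entry):
    """Every reason this entry deserves a look; empty means none of these
    rules fired (which is not the same as clean)."""
    lowered = entry.body.lower()
    reasons = [why for needle, why in INDICATORS.items() if needle in lowered]
    if entry.section == "O4" and EMPTY_AUTORUN_RE.search(entry.body):
        reasons.append("autorun value with a name but no command")
    if entry.body.endswith("(no file)") or entry.body.endswith("(no file) (HKCU)"):
        reasons.append("registered object whose file is missing (orphaned CLSID)")
    return reasons


def flag_entries(entries):
    """Map each suspicious Entry to its reasons, in log order, duplicates merged."""
    flagged = {}
    for entry in entries:
        reasons = reasons_for(entry)
        if reasons:
            flagged[entry] = reasons
    return flagged


def _order(entry):
    return (entry.section, entry.body)


def diff_logs(before_text, after_text):
    """(removed, added): entries only in the first log and only in the
    second. Identical repeated lines (the five O10 lines) collapse to one."""
    before = set(parse_hjt(before_text))
    after = set(parse_hjt(after_text))
    return sorted(before - after, key=_order), sorted(after - before, key=_order)


# Constructed excerpt of the first log posted in this thread (5/20/05).
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 8:32:33 PM, on 5/20/05

Running processes:
C:\WINDOWS\CRIX32.EXE
C:\WINDOWS\progman.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.terafinder.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\ixzcu.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {3483E944-E5A1-B4A9-FF77-F0427B0070B6} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [WINZK.EXE] C:\WINDOWS\WINZK.EXE
O4 - HKLM\..\RunServices: [CRIX32.EXE] C:\WINDOWS\CRIX32.EXE /s
O4 - HKLM\..\RunOnce: [test]
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
"""

# Constructed excerpt of the second log (5/21/05), after Killbox and Fix Checked.
AFTER_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 8:45:45 PM, on 5/21/05

Running processes:
C:\WINDOWS\progman.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O10 - Hijacked Internet access by New.Net
"""

if __name__ == "__main__":
    for entry, reasons in flag_entries(parse_hjt(BEFORE_LOG)).items():
        print(f"{entry.section:<4}{entry.body[:60]:<62}{'; '.join(reasons)}")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print(f"\n{len(removed)} entries removed, {len(added)} added after cleanup")
    for entry in flag_entries(parse_hjt(AFTER_LOG)):
        print("still present:", entry.section, entry.body)
```

Run against the two constructed excerpts, the diff reports six entries gone and one added (the TrojanHunter guard that grotting installed in between), and the only flagged entry still standing is the New.Net O10 line, which matches insipid's later question about whether newdotnet was ever uninstalled. The `(no file)` rule is deliberately separate from the indicator table: an orphaned CLSID is not malicious in itself, but it is exactly the kind of entry HijackThis lets you clear once the file that owned it has been deleted.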

#7 grotting (Topic Starter, 14 posts)
insipid, disregard my question about SHLDDRV.VXD, I found out that it was left over from an installation of Panda antivirus software. I went into the registry and removed the key so it won't interfere with the boot.

#8 insipid (Visiting Staff, 313 posts)
grotting, I've also confirmed that file as a leftover from Panda. I'm not ignoring you, I'm having trouble figuring out what could be causing this. You say you can get to Task Manager when you boot using Explorer, can you do this in Normal Mode and tell me what processes are running?

Did you try to uninstall newdotnet?

Your latest HJT log doesn't look that bad, so I'm leaning toward a corrupt Explorer.exe, but I'm going to ask around about that.

#9 grotting (Topic Starter, 14 posts)
insipid, with C:\Windows\System.ini set to [boot], Shell=Explorer.exe, the system boots to a solid blue screen with the password window open (no password has been set); click on OK and the window closes. There is about a 1 second flash of the McAfee logo just after the password window opens. After the password window closes, I get the following error message.

Explorrer caused an invalid page fault in module Explorrer.EXE at 0167:00401f31.
Registers:
EAX=00000000 cs=0167 EIP=00401f31 EFLGS=00010246
EBX=00000001 ss=016f ESP=0080feec EBP=0080fef4
ECX=d8401c30 ds=016f ESI=00000000 fs=2d8f
EDX=0080fefc es=016f EDI=00000000 gs=0000

Bytes at CS: EIP:

96 08 50 ff 11 86 45 08 50 8b 08 ff 51 08 8b 45

Stack Dump

00401ee0 0080fefc 0080ff34 00405cac 00000000
00000000 00000000 00000001 00404436 00000000
0059fc0c 00000001 00000000 00000000 00000000
00000000


When I close the error window I'm back to a solid blue screen. The only thing that I can do at this point is to hit CTRL+ALT+DEL; the Close Program window opens with 3 programs running: Vsstat, Vshwin32, and Hidserv. If I click on End Task for each one, they close. At this point, I can Shut Down or Cancel, which leaves the solid blue screen, with nothing working.


I don't have Control Panel to get into Add/Remove Programs, so I can't uninstall newdotnet. I can load File Manager through system.ini using WinFile.exe for the Shell, but that will only allow me to delete files, not uninstall them.

#10 insipid (Visiting Staff, 313 posts)
grotting, this is baffling. I've asked for the thoughts of others, please be patient.

#11 grotting (Topic Starter, 14 posts)
insipid, just a side note, I booted the system up in safe mode, and the results are the same with the exception of the safe mode text in each corner. Also, task manager shows nothing running.

#12 insipid (Visiting Staff, 313 posts)
grotting, is this the exact error message you got? "Explorrer caused an invalid page fault in module Explorrer.EXE at 0167:00401f31"

Note the two 'r's in Explorrer. It's been suggested that you may have mistyped it in system.ini, but I notice you spelled explorer.exe correctly in earlier posts.

If it is the exact message, can you find it and delete that file (Safe Mode may be necessary)?

Do you have your Windows 98 Install disk? If so, is it a full version or a restore disk from the computer manufacturer?

Please post a fresh HJT log as well, to see if it's changed.
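insipid's question above is the right first check on any Windows 9x "invalid page fault" dialog: the module name in the first line is the file that faulted, and when it does not match the binary you expect it is either a transcription slip or a different file on disk. The parser below is an added example written for this page, not code from the thread or from any Microsoft tool; it takes the report grotting posted in #9 (reproduced as a constructed string), pulls out the module, CS:EIP, the sixteen registers, the bytes at EIP and the stack dump, and runs the module-name check against an expected name that is an assumption of the example (explorer.exe, the file insipid is asking about).

```python
"""Parse the Windows 9x 'invalid page fault' dialog text and run the checks
worth doing before trusting it: does the faulting module match the binary
you expect, and do the register and dump sections hang together.
Added example, not part of the thread or of any Microsoft tool."""
import re

HEADER_RE = re.compile(
    r"^(?P<app>\S+) caused an invalid page fault in module (?P<module>\S+?) "
    r"at (?P<seg>[0-9a-fA-F]{4}):(?P<off>[0-9a-fA-F]{8})\.?$",
    re.MULTILINE,
)
REG_RE = re.compile(r"\b(?P<name>[A-Za-z]{2,5})=(?P<val>[0-9a-fA-F]{4,8})\b")
HEX_TOKEN_RE = re.compile(r"^[0-9a-fA-F]+$")

# The report from post #9 of this thread, reproduced as a constructed string.
SAMPLE_REPORT = """Explorrer caused an invalid page fault in module Explorrer.EXE at 0167:00401f31.
Registers:
EAX=00000000 cs=0167 EIP=00401f31 EFLGS=00010246
EBX=00000001 ss=016f ESP=0080feec EBP=0080fef4
ECX=d8401c30 ds=016f ESI=00000000 fs=2d8f
EDX=0080fefc es=016f EDI=00000000 gs=0000

Bytes at CS: EIP:

96 08 50 ff 11 86 45 08 50 8b 08 ff 51 08 8b 45

Stack Dump

00401ee0 0080fefc 0080ff34 00405cac 00000000
00000000 00000000 00000001 00404436 00000000
0059fc0c 00000001 00000000 00000000 00000000
00000000
"""


def _hex_tokens(line):
    """All tokens on the line as ints if every token is hex, else None."""
    tokens = line.split()
    if tokens and all(HEX_TOKEN_RE.match(t) for t in tokens):
        return [int(t, 16) for t in tokens]
    return None


def parse_fault_report(text):
    """Return a dict: app, module, cs, eip, registers (name -> int),
    bytes (ints at CS:EIP) and stack (dword ints from the stack dump)."""
    m = HEADER_RE.search(text)
    if m is None:
        raise ValueError("no 'caused an invalid page fault' header found")
    report = {
        "app": m["app"], "module": m["module"],
        "cs": int(m["seg"], 16), "eip": int(m["off"], 16),
        "registers": {}, "bytes": [], "stack": [],
    }
    section = None  # which part of the dialog the current line belongs to
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Registers"):
            section = "registers"
        elif s.startswith("Bytes at CS"):
            section = "bytes"
        elif s.startswith("Stack Dump"):
            section = "stack"
        elif s and section == "registers":
            for r in REG_RE.finditer(s):
                report["registers"][r["name"].upper()] = int(r["val"], 16)
        elif s and section in ("bytes", "stack"):
            values = _hex_tokens(s)
            if values is not None:  # stop silently at trailing prose
                report[section].extend(values)
    return report


def assess(report, expected_module):
    """Notes a responder should act on, most important first."""
    notes = []
    if report["module"].lower() != expected_module.lower():
        notes.append(
            f"faulting module {report['module']!r} is not {expected_module!r}: "
            "confirm the dialog text, then look for a file by that name on disk")
    regs = report["registers"]
    if regs.get("EIP") != report["eip"]:
        notes.append("EIP register disagrees with the offset in the header line")
    zero = [n for n in ("EAX", "ESI", "EDI") if regs.get(n) == 0]
    if zero:
        notes.append("zero-valued registers at the fault: " + ", ".join(zero)
                     + " (a null dereference is one common cause)")
    return notes


if __name__ == "__main__":
    rep = parse_fault_report(SAMPLE_REPORT)
    print(f"{rep['app']} faulted in {rep['module']} at {rep['cs']:04x}:{rep['eip']:08x}")
    for note in assess(rep, "explorer.exe"):
        print(" -", note)
```

On the posted report the module check fires because the dialog text says Explorrer.EXE; grotting's next post settles that as a typing slip, which is exactly why the note says to confirm the dialog text before hunting for a file. The parser keeps the register and dump values as integers so they can be compared across repeated crashes; a fault that lands at the same CS:EIP with the same registers after explorer.exe has been replaced points away from that file and toward whatever it loads at startup.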

#13 grotting (Topic Starter, 14 posts)
insipid, sorry about that, it's 2 typos. I went in and checked system.ini and it's explorer.exe. The only thing I have is the original recovery CD from Compaq.

#14 insipid (Visiting Staff, 313 posts)
grotting, the typos are no problem, it's just best to be sure. Explorrer.exe is a filename associated with a virus.

Let's try this:

Boot from floppy, and place your recovery disk in the CD drive. Type D: (it may be E:, depending on the autoexec.bat on your boot disk) and try to find explorer.exe. As it's a recovery disk, I can only guess at the path to the file, so you will need to search for it.

The file may be compressed. If the filename is 'explorer.exe', type copy explorer.exe C:\Windows\System

If the filename is 'explorer.ex_', type expand explorer.ex_ C:\Windows\System\explorer.exe

If this appears to have worked, try to boot to explorer again. This machine is very sick, I'm hoping we can get in to fix it.

#15 grotting (Topic Starter, 14 posts)
insipid, I put the recovery CD in and it self-booted to a window giving me these choices: 1. Emergency Disk, 2. User Backup, 3. No User Image Found, 4. Factory Restore, 5. Exit. From File Manager, I looked at the disk and there are only 2 files: BOOTCAT.BIN and BOOTSECT.BIN. I figured the Win98 files had to be somewhere, so I used File Manager and found them at C:\windows\options\cabs. It looks like all the Windows 98 cabinet files are there plus all of the Compaq proprietary files. However, when I try to extract them, extract.exe lists them but doesn't extract them to the specified folder.

I used the System File Checker tool and it indicated that Explorer.exe was indeed corrupt. I let SFC replace it from the C:\windows\options\cabs directory. A subsequent run of SFC shows the system to be clean. When I reboot, the blue screen comes back. While I was looking around on the hard drive, I found the following:

C:\!submit\wp.exe

Could this have anything to do with this problem?